4452 matches found

OSV
added 2024/02/02 5:15 p.m. | 6 views

PYSEC-2024-148

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

CVSS 5.3 | AI score 5.2 | EPSS 0.00526
Exploits: 1 | References: 1

Cvelist
added 2024/02/02 4:19 p.m. | 15 views

CVE-2024-24560 Vyper external calls can overflow return data to return input buffer

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

CVSS 3.7 | AI score 5.6 | EPSS 0.00526
Exploits: 1 | References: 1

CVE
added 2024/02/02 4:19 p.m. | 52 views

CVE-2024-24560

CVE-2024-24560 concerns Vyper’s handling of external calls, where the return buffer can overflow into the input buffer due to memory layout and the RETURNDATASIZE length check for dynamic types. The result can cause a contract to read malformed data from the input buffer instead of the intended r...

CVSS 5.3 | AI score 5.3 | EPSS 0.00526
Exploits: 1 | References: 1 | Affected Software: 1

OSV
added 2024/02/02 4:19 p.m. | 5 views

CVE-2024-24560 Vyper external calls can overflow return data to return input buffer

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

CVSS 3.7 | AI score 5.4 | EPSS 0.00526
Exploits: 1 | References: 3

Vulnrichment
added 2024/02/02 4:19 p.m. | 30 views

CVE-2024-24560 Vyper external calls can overflow return data to return input buffer

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

CVSS 3.7 | AI score 6.9 | EPSS 0.00526
Exploits: 1 | References: 1

CVE
added 2024/02/01 4:37 p.m. | 60 views

CVE-2024-24561

CVE-2024-24561 (Vyper) : The vulnerability is in the built-in slice() bounds check for Vyper up to version 0.3.10, where the runtime check does not account for overflow of start + length when arguments are non-literal. This can enable out-of-bounds (OOB) access to storage, memory, or calldata and...

CVSS 9.8 | AI score 9.5 | EPSS 0.00902
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2024/02/01 4:37 p.m. | 37 views

CVE-2024-24561 Vyper bounds check on built-in `slice()` function can be overflowed

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice function uses a non-literal argument for the start ...

CVSS 9.8 | AI score 9.8 | EPSS 0.00902
Exploits: 1 | References: 3

OSV
added 2024/01/30 9:15 p.m. | 4 views

PYSEC-2024-151

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...

CVSS 5.3 | AI score 5.1 | EPSS 0.00485
Exploits: 3 | References: 2

Vulnrichment
added 2024/01/30 8:17 p.m. | 3 views

CVE-2024-24567 raw_call `value=` kwargs not disabled for static and delegate calls

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...

CVSS 4.8 | AI score 5.3 | EPSS 0.00485
Exploits: 3 | References: 2

CVE
added 2024/01/30 8:17 p.m. | 72 views

CVE-2024-24567

The CVE-2024-24567 issue concerns Vyper, a Pythonic language for the Ethereum VM. The vulnerability is in the Vyper compiler’s raw_call builtin, where a value argument can be passed even when the call is delegatecall or staticcall. However, due to the semantics of delegatecall/staticcall opcodes,...

CVSS 5.3 | AI score 5.1 | EPSS 0.00485
Exploits: 3 | References: 2 | Affected Software: 1

OSV
added 2024/01/30 8:17 p.m. | 17 views

CVE-2024-24567 raw_call `value=` kwargs not disabled for static and delegate calls

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...

CVSS 4.8 | AI score 5.2 | EPSS 0.00485
Exploits: 3 | References: 4

Positive Technologies
added 2024/01/30 12:0 a.m. | 5 views

PT-2024-21468

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The issue is related to a circular locking dependency in the KVM (Kernel-based Virtual Machine) component of the Linux kernel, specifically on arm64 architectures. The problem arises becau...

CVSS 5.5 | AI score 5.5 | EPSS 0.00183
Exploits: 0

RedHat Linux
added 2024/01/25 11:15 a.m. | 2 views

kernel: SEV-ES local priv escalation

A buffer overflow and null pointer dereference flaw was found in the Linux kernel's Secure Encrypted Virtualization (SEV) implementation for AMD functionality. This issue occurs when a user in SEV guest VM accesses MMIO registers, which could allow a local user to crash the system or escalate their...

CVSS 7 | AI score 7 | EPSS 0.00693
Exploits: 0 | References: 9

Virtuozzo
added 2024/01/25 12:0 a.m. | 16 views

Virtuozzo Hybrid Infrastructure 5.4 Update 4 Hotfix 6 (5.4.4-150)

This update provides stability and performance improvements. Vulnerability id: VSTOR-79658, VSTOR-80254 Reworked eligibility checks for third-party packages. Vulnerability id: VSTOR-79881 For S3 objects uploaded by using multipart upload, replacing one object with another with the same name may...

AI score 7.3
Exploits: 0

CNNVD
added 2024/01/23 12:0 a.m. | 2 views

Xen Code Issues Vulnerabilities

Xen is an open source virtual machine monitor product from the University of Cambridge, UK. The product enables different and incompatible operating systems to run on the same computer and supports runtime migration to ensure uptime and avoid downtime. A security vulnerability exists in Xen that...

CVSS 7.5 | AI score 7.5 | EPSS 0.01177
Exploits: 0 | References: 7

RustSec
added 2024/01/20 12:0 p.m. | 3 views

`cosmwasm` is unmaintained

The crate cosmwasm is not used anymore since spring 2020. The functionality was split in multiple different crates, such as the standard library cosmwasm-std and the virtual machine cosmwasm-vm. An overview can be found in the cosmwasm repository. If you have this crate in your dependency tree,...

AI score 7
Exploits: 0

BDU FSTEC
added 2024/01/19 12:0 a.m. | 5 views

The vulnerability of the Java VM component of the Oracle Database Server management system allows a hacker to gain access to read, modify, or delete data.

The vulnerability of the Java VM component of the Oracle Database Server management system is related to insufficient validation of input data. Exploiting this vulnerability can allow an attacker, operating remotely, to gain access to read, modify, or delete data...

CVSS 6.8 | AI score 6.9 | EPSS 0.00416
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2024/01/18 7:15 p.m. | 21 views

CVE-2024-22419

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the buildIR for concat doesn't properly adhere to the API of co...

CVSS 9.8 | AI score 8.1 | EPSS 0.0077
Exploits: 1 | References: 3

Prion
added 2024/01/18 7:15 p.m. | 15 views

Buffer overflow

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the buildIR for concat doesn't properly adhere to the API of co...

CVSS 7.5 | AI score 7.7 | EPSS 0.0077
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2024/01/18 6:45 p.m. | 226 views

CVE-2024-22419

CVE-2024-22419 affects the Vyper compiler/runtime: the built-in concat can write past the allocated memory buffer, potentially corrupting memory and changing contract semantics. The root cause is the build_IR path not properly conforming to the copy_bytes API for versions >= 0.3.2, enabling a ...

CVSS 9.8 | AI score 8.7 | EPSS 0.0077
Exploits: 1 | References: 3 | Affected Software: 1